sign in sign up
<<
Home , Information system

OFFICIAL RELEASE

Interpretation Services

AICPA Professional Ethics Division

Effective on January 1, 2021. Early implementation is allowed

1 | Official Release — Information Services Interpretation

Copyright  2019 by American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 Permission is granted to make copies of this work provided that such copies are for personal, intra-organizational, or educational use only and are not sold or disseminated and provided further that each copy bears the following credit line: “Copyright  2019 by the American Institute of Certified Public Accountants, Inc. Used with permission.”

2 | Official Release — Information Systems Services Interpretation

June 2019

Ethics interpretations and other guidance are promulgated by the executive committee of the Professional Ethics Division to provide guidelines about the scope and application of the rules but are not intended to limit such scope or application. Publication in the Journal of Accountancy constitutes notice to members. A member who departs from such guidelines shall have the burden of justifying such departure in any disciplinary hearing.

The Professional Ethics Executive Committee adopted the revised interpretation “Information System Services,” formerly “Information Systems Design, Implementation, or Integration” (ET sec. 1.295.145) under the “Independence Rule” (ET sec. 1.200.001) at its May 2019 meeting.

The revised interpretation is effective January 1, 2021 and early implementation is allowed. The revised interpretation will be added to the AICPA Code of Professional Conduct with the June 2019 update. Notice of the new interpretation will appear in the August 2019 Journal of Accountancy.

3 | Official Release — Information Systems Services Interpretation

Text of Revised Interpretation “Information Systems Services”

Additions in bold italic and deletions in strikethrough found in the paragraphs below are to the text of the proposed interpretation that was included in the March 15, 2018, exposure draft.

1.295.145 Information Systems Services Design, Implementation, or Integration

Introduction

.01 Self-review and management participation threats to the member’s compliance with the “Independence Rule” [1.200.001] may exist when a member provides nonattest services related to an attest client's information systems. .02 This interpretation applies to all attest engagements, including those in which the subject matter of the engagement is not financial statements. In these cases, the member should define a financial information system as any information system that is subject to the member’s attest procedures considering the relevant factors in paragraph .03a.

Terminology

.03 The following terms are defined solely for the purpose of applying this interpretation: a. A financial information system (FIS) is a system that aggregates source underlying the financial statements or generates information that is significant to either the financial statements or financial processes as a whole. An FIS includes a tool that calculates results unless To determine whether a nonattest service is related to a financial information system, members may consider factors, such as whether the nonattest service will affect the following: i. the tool performs only discrete calculations; ii. the attest client evaluates and accepts responsibility for the input and assumptions; and iii. the attest client has sufficient information to understand the calculation and the results.

i. System controls or system output that will be subject to attest procedures ii. A system that generates data that are used as an input to the financial statements iii. A system that gathers data that assist management in making decisions that directly impact financial reporting iv. A system that is part of the attest client's internal controls over financial reporting b. Designing an information system means determining how a system or transaction will function, data, and produce results (for example, reports, journal vouchers, and documents such as sales and purchase orders) to provide a blueprint or schematic for the development of software code (programs) and data structures. c. Developing an information system entails creating software code, for individual or multiple modules, and testing such code to confirm it is functioning as designed. d. Commercial off-the-shelf (COTS) refers to a software package developed, distributed, maintained, and supported by an entity or entities that are not the member or member’s firm (a third-party vendor), sometimes simply referred to as an “off-the-shelf” package or solution. COTS solutions have generally referred to traditional on-premise software that runs on a customer’s own or on a third-party vendor’s “cloud” infrastructure. COTS

4 | Official Release — Information Systems Services Interpretation

solutions range from software packages that require only installation on a and are ready to run to large-scale, complex enterprise applications.

Design, Development, or Implementation Services Not Related to an Financial Information System FIS

.04 When performing design, development, or implementation services described in this interpretation for an attest client that are not related to an FIS financial information system, threats to compliance with the “Independence Rule” [1.200.001] would be at an acceptable level provided all requirements of the "Nonattest Services" subtopic [1.295] of the “Independence Rule” are met, including that the attest client has not outsourced a function, process, or activity to the member, which in effect would result in the member assuming a management responsibility.

Designs or Develops an Financial Information System FIS

.05 When a member designs or develops an attest client's FIS financial information system, threats to compliance with the “Independence Rule” [1.200.001] would not be at an acceptable level and could not be reduced to an acceptable level by the application of safeguards and independence would be impaired. Designing and developing a template that performs a discrete calculation such as a tax provision or depreciation calculation does not constitute designing or developing a financial information system and will not impair independence, provided the template does not perform an activity that, if performed directly by the member, would impair independence and the member complies with all the requirements of the "Nonattest Services" subtopic [1.295] of the “Independence Rule”. .06 To determine whether a nonattest service is related to an FIS financial information system, members should may consider all relevant factors, such as whether the nonattest service will affect the following: a. System controls or system output that will be subject to attest procedures. b. A system that generates data that are used as input to the financial statements, including data or information that is either reflected in or used in determining amounts and disclosures included in the financial statements. c. A data-gathering system that gathers data, such as an analytical or reporting tool, that is used in assist management’s decision-making in making about matters that could significantly decisions that directly affect impacting financial reporting. d. A system that is part of the attest client's internal controls over financial reporting, including information systems used to effect internal controls over financial reporting (for example, a system used to ensure that information produced for the financial statements is accurate). However, information systems used only in connection with controlling the efficiency and effectiveness of operations are considered unrelated to the financial statements and records.

Implementation of a COTS Financial Information System FIS Software Solution

.07 Implementation services involve activities related to an attest client's information systems after the design and development of the system. Implementation ceases when the system is available on a regular basis to the attest client for its intended use. For example, implementation services can include activities such as installing, configuring, interfacing, customizing, and data translation. Services that are performed post-implementation, such as the maintenance, support, and monitoring of the system, are not considered to be implementation services.

5 | Official Release — Information Systems Services Interpretation

.08 Threats created by certain COTS implementation services related to the attest client's FIS financial information system may be reduced to an acceptable level by the application of safeguards; however, in other situations, threats to compliance with the “Independence Rule” [1.200.001] would be significant and could not be reduced to an acceptable level by the application of safeguards. These situations are addressed in paragraphs .09 through .20 of this interpretation.

Install a COTS Financial Information System FIS Software Solution

.09 To install a COTS FIS financial information system software solution means the initial loading of software on a the client’s designated hosting site computer, normally onto a customer’s server. Software configuration, integration, and conversion activities may follow installation.

.10 When a member installs a COTS FIS financial information system software solution, threats to compliance with the “Independence Rule” [1.200.001] would be at an acceptable level, provided all requirements of the "Nonattest Services" subtopic [1.295] of the “Independence Rule” are met.

Configure a COTS Financial Information System FIS Software Solution

.11 To configure a COTS FIS financial information system software solution means selecting inputting the client-selected the software features, functionality options, and settings within the third-party vendor’s softwareprovided by the vendor,that which will determines how the software will perform certain transactions and process data. Configuration options may also include selecting the predefined format of certain data attributes and the inclusion or exclusion of such attributes. For purposes of this interpretation, However, if the member were to configuring a COTS financial information system software solution does not involve design or developing new software code or features to modify or alter the functionality of the COTS software solution in ways not predefined by the third-party vendor, this would be considered designing or developing activities, as described in items (b)–(c) of paragraph .03.

.12 When a member configures a COTS FIS financial information system software solution based on client-selected features, functionality options, and settings within the third-party vendor’s software, threats to compliance with the “Independence Rule” [1.200.001] would be at an acceptable level provided all requirements of the "Nonattest Services" subtopic [1.295] of the “Independence Rule” are met.

Customize a COTS Financial Information System FIS Software Solution

.13 To customize a COTS FIS financial information system software solution means to modify or enhance altering or adding to the features and functions in ways that go beyond the provided for by the vendor, that go beyond all options provided by the third-party vendor available when configuring the COTS software solution. For purposes of this interpretation, customizing can involve both modification and enhancements: a. Modification involves altering the COTS software solution code to change or add to the functionality provided by the third-party vendor. b. Enhancements involve developing new code, external to the COTS software solution, that works in concert with the COTS software solution to provide altered or additional functionality.

.14 If a member customizes an attest client's COTS FIS financial information system software solution, threats to compliance with the “Independence Rule” [1.200.001] would not be at an acceptable level

6 | Official Release — Information Systems Services Interpretation

and could not be reduced to an acceptable level by the application of safeguards; independence would be impaired.

Interface a COTS Financial Information System FIS Software Solution

.15 Providing interface services for a COTS FIS financial information system software solution means connecting two or more systems by designing and developing software code that passes data from one system to another. Interfaces may flow in one direction or be bidirectional. Interfaces may involve the performance of an end-to-end transaction or they may pass data from one system to another.

.16 If a member provides interface services for a COTS FIS financial information system software solution, threats to compliance with the “Independence Rule” [1.200.001] would not be at an acceptable level and could not be reduced to an acceptable level by the application of safeguards; independence would be impaired except as provided for in paragraph .157.

.17 If a member uses an third-party vendor’s application, such as an application programming interface (API), program interface (API) that is developed by a third party to interface legacy or third-party COTS FIS financial information system software solutions, threats to independence would be at an acceptable level, provided the member will not be designing or developing code for the application API to work and all requirements of the "Nonattest Services" subtopic [1.295] of the “Independence Rule” [1.200.001] are met.

Data Translation Services Related to a COTS Financial Information System FIS Software Solution

.18 Performing data translation services for a COTS FIS financial information system software solution involves designing and developing the rules or logic necessary to convert legacy system data to a format that is compatible with that of the new system.

.19 If a member performs data translation services for a COTS FIS financial information system software solution, threats to compliance with the “Independence Rule” [1.200.001] would not be at an acceptable level and could not be reduced to an acceptable level by the application of safeguards and independence would be impaired except as provided for in paragraph .2018.

.20 If a member uses an third-party vendor’s API application, such as an API, developed by a third party to perform data translation services for a COTS FIS financial information system software solution, threats to independence would be at an acceptable level, provided the member will not be designing or developing code for the application API to work and all the requirements of the "Nonattest Services" subtopic [1.295] of the “Independence Rule” [1.200.001] are met.

System and Network Maintenance, Support, and Monitoring

.21 Maintenance, support, and monitoring services are activities that are provided after a financial or nonfinancial system or network is implemented. If post-implementation services involve the attest client outsourcing an ongoing function, process, or activity to the member that in effect would result in the member assuming a management responsibility, compliance with the “Independence Rule” [1.200.001] would not be at an acceptable level and could not be reduced to an acceptable level by the application of safeguards and independence would be impaired. Examples of such services that involve an ongoing function, process, or activity that in effect would result in the member assuming

7 | Official Release — Information Systems Services Interpretation

a management responsibility would include services in which a service whereby the member directly or indirectly does any of the following: a. Operates the attest client's network, such as managing the attest client’s systems or software applications b. Supervises client personnel involved in the operation of the attest client's information systems c. Has responsibility for monitoring or maintaining the attest client's d. Operates or manages the attest client’s help desk e. Has responsibility to perform ongoing network maintenance, such as updating virus protection solutions, applying routine updates and patches, or configuring user settings f. Has responsibility for maintaining the security of the attest client’s networks and systems

.22 Independence will not be impaired provided all requirements of the "Nonattest Services" subtopic [1.295] of the “Independence Rule” [1.200.001] are met and the maintenance, support, and or monitoring services are discrete, nonrecurring individually separate, distinct, and not ongoing engagements in for which the attest client has outsourced no function, process, or activity to the member that in effect would result in the member assuming a management responsibility. Examples of such services that woulddo not impair independence may include being engaged for a discrete project to do any of the following services: a. Analyzinge a network and providinge observations or recommendations b. Applying virus protection solutions or updates that the member did not design or develop c. Applying certain updates and patches that the member did not design or develop d. Providinge advice, training, or instruction on a new software solution e. Assessing the design or operating effectiveness of an attest client’s security over information technology systems f. Assessing the attest client’s information technology security or practices

Nonauthoritative questions and answers regarding information systems design, implementation, and integration services are available at www.aicpa.org/InterestAreas/ ProfessionalEthics/Resources/Tools/DownloadableDocuments/ NonattestServicesFAQs.pdf.

[See Revision History Table.]

8 | Official Release — Information Systems Services Interpretation